Add RFC1918_STRICT Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1994 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-03-10 23:22:47 +00:00
parent 88745ab74c
commit c085d04185
2 changed files with 24 additions and 0 deletions


@ -21,6 +21,8 @@ Changes in 2.2.2
9) Fix installer's handling of action.* files. 9) Fix installer's handling of action.* files.
10) Implement RFC1918_STRICT
Changes in 2.2.1 Changes in 2.2.1
1) Add examples to the zones and policy files. 1) Add examples to the zones and policy files.
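Review bot: the new changelog entry "10) Implement RFC1918_STRICT" is too terse to stand on its own; changelog readers will not see the release notes hunk, so state in one line what it is and what it defaults to, e.g. "10) Add RFC1918_STRICT option to shorewall.conf (default No): apply rfc1918 destination checks even when the source matched a RETURN rule". It also fits the style of item 9, which says what was changed rather than only naming the feature.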


@ -45,6 +45,28 @@ New Features in version 2.2.2
with "multiport match", a separate iptables rule will be generated with "multiport match", a separate iptables rule will be generated
for each element in the list. for each element in the list.
5) Traditionally, the RETURN target in the 'rfc1918' file has caused
'norfc1918' processing to cease for a packet if the packet's source
IP address matches the rule. Thus, if you have:
SUBNETS TARGET
192.168.1.0/24 RETURN
then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even
though you also have:
SUBNETS TARGET
10.0.0.0/8 logdrop
Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
to be logged and dropped since while the packet's source matches the
RETURN rule, the packet's destination matches the 'logdrop' rule.
If not specified or specified as empty (e.g., RFC1918_STRICT="")
then RFC1918_STRICT=No is assumed.
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
support 'conntrack state' match.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.2.1 Problems corrected in version 2.2.1
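Review bot: both hunks in this commit are documentation (the changelog and the release notes); nothing here touches the rule generator, the shorewall.conf sample or the startup checks, so the text describes an option and a 'conntrack state' match dependency whose enforcement is not visible in this change. Please make sure the implementing commit lands in the same release and that shorewall.conf gains a commented RFC1918_STRICT=No entry matching the "If not specified or specified as empty ... RFC1918_STRICT=No is assumed" wording. In the WARNING, say what happens when the kernel lacks the 'conntrack state' match (refused at startup, or silently non-strict), since the two outcomes have very different security consequences for someone relying on logdrop of 10.0.0.0/8 destinations.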